[UPHPU] restricting access to assets on a public server

Wade Preston Shearer wadeshearer.lists at me.com
Sat Apr 9 12:51:50 MDT 2011


On 8 Apr 2011, at 16:33, Wade Preston Shearer wrote:

> The only thing I have thought of thus far is putting the assets outside of web root on the other server and reading them via a web service that requires authentication. The service would authenticate, read the file, and stream the bytes over to the requesting server where it would then stream it out to the browser (forced header download).

I think I've come up with another option which I think might be better (thanks, Victor, for pointing me in this direction). Streaming the file through a web service would require the entire file to be read into memory, which wouldn't work for large files.

So, another approach could be to generate a unique, single-use, expiring token that is required to download the file. This would control access but allow the file to be downloaded directly from the server it is hosted on.

It would work like this:

Server A hosts a page with a link for downloading a file from server B. The link isn't to the actual file, but rather to a script on server A with the path to the file on server B. When the link is clicked, the script communicates with server B and asks it to generate a unique, single-use, expiring token. The token is stored on server B and then returned. The script on server A then does a header redirect to a script on server B, passing the token as a query parameter. The script on server B checks to see if the token is valid and is not older than one minute. If this is true, it reads the file from the file system (outside of webroot) and initiates the headers to stream it down to the browser (download). Once it's done, the script deletes the token.

What do you think?
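
The token flow described in the message above, sketched for server B as an added example that is not part of the original post. It assumes PHP 8 with pdo_sqlite; TokenStore, resolveAsset, ASSET_ROOT and the table layout are hypothetical names. It goes one step beyond the description by consuming the token at redemption instead of after the download finishes, so that two concurrent requests cannot both use it, and by storing only a hash of the token.

```php
<?php declare(strict_types=1);
// Added example for server B (PHP 8+, pdo_sqlite). All names and paths are hypothetical.
const ASSET_ROOT = '/srv/private-assets';   // assumed directory outside webroot
const TOKEN_TTL  = 60;                      // seconds: the one-minute limit

final class TokenStore
{
    public function __construct(private PDO $db)
    {
        $db->exec('CREATE TABLE IF NOT EXISTS tokens
            (hash TEXT PRIMARY KEY, path TEXT NOT NULL, expires INTEGER NOT NULL)');
    }
    // Server A's authenticated request lands here; the return value goes in the redirect.
    public function issue(string $relPath, ?int $now = null): string
    {
        $now ??= time();
        $this->db->prepare('DELETE FROM tokens WHERE expires < ?')->execute([$now]);
        $token = bin2hex(random_bytes(32));          // 256 bits from the CSPRNG
        $this->db->prepare('INSERT INTO tokens VALUES (?, ?, ?)')
            ->execute([hash('sha256', $token), $relPath, $now + TOKEN_TTL]);
        return $token;                               // only its hash is stored
    }
    // Returns the path for a valid token exactly once, otherwise null.
    public function redeem(string $token, ?int $now = null): ?string
    {
        $hash = hash('sha256', $token);
        $sel = $this->db->prepare('SELECT path FROM tokens WHERE hash = ?');
        $sel->execute([$hash]);
        $path = $sel->fetchColumn();
        // The DELETE is the gate: of concurrent requests, only one deletes the row.
        $del = $this->db->prepare('DELETE FROM tokens WHERE hash = ? AND expires >= ?');
        $del->execute([$hash, $now ?? time()]);
        return ($path !== false && $del->rowCount() === 1) ? (string) $path : null;
    }
}

// Resolves a stored path and refuses anything that ends up outside the asset root.
function resolveAsset(string $relPath, string $root = ASSET_ROOT): ?string
{
    $base = realpath($root);
    $real = realpath($root . '/' . $relPath);
    $inside = $base !== false && $real !== false
        && str_starts_with($real, $base . DIRECTORY_SEPARATOR);
    return ($inside && is_file($real)) ? $real : null;
}

if (PHP_SAPI === 'cli') {                            // offline demo, constructed values
    $store = new TokenStore(new PDO('sqlite::memory:'));
    $t = $store->issue('reports/q1.pdf', 1000);
    var_dump($store->redeem($t, 1030));              // first use, 30 s after issue
    var_dump($store->redeem($t, 1031));              // same token presented again
    var_dump($store->redeem($store->issue('reports/q1.pdf', 1000), 1061)); // 61 s after issue
}
```

The download script on server B would call redeem() with the token from the query string, pass the result through resolveAsset(), and send the file with readfile() after the download headers.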

